2 Medicaid Data Breaches, 1 Weak Link: Employees


Second data breach at a state Medicaid agency in less than a month shows need to limit employee access to confidential data, regardless of other security procedures.

By Ken Terry,  InformationWeek
April 24, 2012
URL: http://www.informationweek.com/news/healthcare/security-privacy/232900817

For the second time in less than a month, there has been a major data security breach at a state Medicaid agency. The South Carolina Department of Health and Human Services (SCDHHS) discovered on April 10that an employee of the state’s Medicaid program had transferred personal information of 228,435 Medicaid beneficiaries to his personal email account.

After the department detected the transfers, it contacted the state law enforcement agency. The employee was terminated, and the affected individuals were notified of the security breach. Christopher Lykes Jr. of Swansea, Ga., has been arrested and charged with the offense, according to South Carolinian website The State.com. AdTech Ad

Just a few weeks ago, hackers broke into a server at the Utah Department of Technology Services and stole Medicaid records of 780,000 people. Of those, about 280,000 had their Social Security numbers compromised. Less-sensitive personal information on an additional 500,000 individuals, including names, addresses, dates of birth, and diagnostic codes, also was stolen.

In the South Carolina case, the compromised records had patient names, phone numbers, addresses, birth dates, and Medicaid ID numbers, but no private medical records or financial information. In 22,604 cases, the records included Medicare numbers that contained Social Security numbers.

[ Practice management software keeps the medical office running smoothly. For a closer look at KLAS’ top-ranked systems, see 10 Top Medical Practice Management Software Systems. ]

To address the possibility of identity theft, SCDHHS is offering a free year of identity protection services to every affected individual. The service, provided by Experian, includes a free credit report, daily credit monitoring, and a $1 million identify theft insurance policy. In addition, the department has created a website and a toll-free number to answer the questions of affected beneficiaries.

Meanwhile, the SCDHHS announcement said, the department is impounding all files and computers where the compromised information might have been stored; has frozen access for much of its staff to software that allows the aggregation of personally identifiable information; and has hired an external IT security firm to conduct a risk assessment of its data and IT systems security.

The risk of this type of transfer of confidential information by employees is increasing because many organizations are using Web browsers as the primary platform for viewing information, Bill Morrow, a security expert and CEO of Quarri Technologies, told InformationWeek Healthcare.

“Standard Web browsers contain critical security gaps that create significant risks to organizations’ confidential data, and online resources like webmail and social networking sites can be open windows for data leakage,” he said. “A careless or malicious employee can easily steal company trade secrets, intellectual property, or leak sensitive customer information.”

Employees can access such information regardless of whether their organization uses an on-premises server or a remote server. But organizations, including healthcare providers, are increasingly using browsers to link together multiple sites and provide mobile access to systems, Morrow noted.

Moreover, many healthcare organizations are moving toward the use of cloud-based applications that are accessed over the Internet. In a recent Harris Interactive survey, nearly 60% of CIOs in healthcare systems that had an EHR and a health information exchange said they planned to invest in “cloud-based open systems.” Storage and retrieval of medical imaging data in the cloud also is becoming widespread.

The best way to prevent employees from using browsers to replicate confidential information, Morrow said, is to deploy what he calls “hardened browsers,” which are available from several vendors. Such a viewing platform allows organizations to limit the aggregation of data and to specify which data can be saved, printed or transferred, and how, he noted.

The key to using a hardened browser, he added, is to strike an appropriate balance between employees’ need to use data and a security policy that prevents unauthorized movement of confidential information.